Since setting up our new Cisco ASA I have noticed the following event in the ASDM logs very frequently:
Deny UDP reverse path check from 10.0.x.x to 10.0.255.255 on interface outside
10.0.x.x is always an IP on the same subnet as the inside interface of the ASA, but the IP changes all the time. We have other subnets at remote locations that are behind the ASA (10.1.x.x, etc) but these never generate the event. Also, the 10.0.255.255 part is sometimes 255.255.255.255.
This doesn't appear to be causing any problems, it's just an annoyance. My only guess at this point is that it's related to my routing setup on the ASA, which is:
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1 (x.x.x.x is boundary router)
Hi .. the events are generated because the ASA is protecting your network from Ip spoofing. PLease see the below explanations about this feature which I guess it must be enabled on your outside interface.
ip verify reverse-path
To enable Unicast RPF, use the ip verify reverse-path command in global configuration mode. To
disable this feature, use the no form of this command. Unicast RPF guards against IP spoofing (a packet
uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source
IP address that matches the correct source interface according to the routing table.
Thanks Fernando. I know that's what is happening but due to the high frequency of the errors I thought I may have misconfigured something. I only see that error on 10.0.x.x addresses and only on the outside interface, but I don't see how a 10.0.x.x address could even be coming into that interface because it's not a valid IP. I thought what might be happening is that I had something misconfigured, so when valid addresses were coming in from my side the ASA could not verify them - not because the address is invalid, but because there is a problem with the reverse-path.
Again, I only see it with IP addresses on my local subnet (which is a school district office). I never see it on IP addresses from the remote school sites, which is what I would expect since that's where the students are.
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin...
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...